Every now and then a would-be criminal online picks the wrong potential victim. I was recently selling a 1995 Ford Escort on the site Craigslist.com and had a number of interested buyers. One such candidate offered a $500 IOU plus a six-month supply of tile grout. Luckily, he never showed up. Another potential buyer, by the name of Amanda Q. McCombs, wrote:
I want to buy it, where are you exactly located? any damage any rust? AMANDA Q MCCOMBS SENT FROM MY IPHONE at 12:22:13
I wrote back:
hi amanda, there is no rust. typical wear for a 95 car. and the damage is only those things i listed in the advertisement. The biggest thing is the transmission and 2nd gear slippage. it is not noticeable if driven easy. i am located off of **th street in redmond. thanks for your interest!
Clicking on the link in the message led me to a page resembling an account login for Craigslist:
If you look closely at the URL, it has nothing at all to do with Craigslist:
This was a spear phishing attack, and I would have been a victim had I entered my user name and password. Though this attempt would not have fooled most Internet-savvy people, it would have fooled my mom. Here is a link that more fully describes this type of attack:
And what exactly could Amanda have done with my Craigslist account? She could view all my postings (information disclosure). She could hijack my account by changing the password. She could silently monitor all my future activities and perhaps find out what area I live in, what types of belongings I have, and what services I provide or want to buy. If I post to the personals, she could know what types of people I am interested in dating or activities I would like to pursue. This information could be leveraged for an even more targeted spear-phishing attack.
Amanda could, in addition, start trying to break into my email account; if I used the same password for both accounts, this would be easy. So compromising my Craigslist account could be an important starting point for a more thorough theft of my identity.
In this failed attack, I had a few pieces of information about Amanda: her "from" email address (ending in @live.com), her "reply-to" email address (ending in @insightbb.com), and the phishing website to which she was trying to lead me (hosted on cralgsIist.com).
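The three indicators above (a From domain that differs from the Reply-To domain, and a link whose host imitates the brand with look-alike letters) are exactly what a mail filter or a careful reader checks. The following Python script is an added example, not code from the original post or from Craigslist: it parses a constructed message modelled on the one described, compares the From and Reply-To domains, extracts the link hosts, and flags a host as a lookalike when, after folding visually confusable characters (l, I, i, 1, | and o, 0), it is within one edit of the protected domain or embeds the brand name. The protected domain "craigslist.com" follows the post's wording, and the sample addresses, path and body text are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand domain to protect (the post refers to Craigslist.com).
PROTECTED_DOMAINS = {"craigslist.com"}
BRAND_LABEL = "craigslist"

# Characters that render alike in many fonts. Lower-casing first turns
# capital I into i, so "cralgsIist" and "craigslist" fold to the same string.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample modelled on the exchange in the post; the local parts,
# the recipient and the URL path are placeholders, not the real message.
SAMPLE_MESSAGE = """\
From: Buyer <buyer@live.com>
Reply-To: buyer@insightbb.com
To: seller@example.com
Subject: Re: 1995 Ford Escort

Please confirm your listing is still active here: http://cralgsIist.com/login
"""


def fold(host: str) -> str:
    """Lower-case a host name and collapse visually confusable characters."""
    return host.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a link's host."""
    lowered = host.lower()
    if lowered in PROTECTED_DOMAINS:
        return "legitimate"
    folded = fold(lowered)
    for good in PROTECTED_DOMAINS:
        # One edit away after folding, or the brand name embedded in a
        # different domain (e.g. craigslist-login.com), counts as a lookalike.
        if edit_distance(folded, fold(good)) <= 1 or fold(BRAND_LABEL) in folded:
            return "lookalike"
    return "unrelated"


def host_of(url: str) -> str:
    """Host part of a URL, keeping the original case so reports show what the user saw."""
    netloc = urlparse(url).netloc
    return netloc.rpartition("@")[2].split(":")[0]


def domain_of(header_value) -> str:
    """Domain of the first address in a header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyze_message(raw: str) -> dict:
    """Collect the phishing indicators discussed in the post for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    hosts = [host_of(u) for u in URL_RE.findall(msg.get_payload())]
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "lookalike_hosts": [h for h in hosts if classify_host(h) == "lookalike"],
    }


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports the From/Reply-To mismatch and lists cralgsIist.com as a lookalike of craigslist.com; a host such as example.com is reported as unrelated, which is the right outcome for a link that simply has nothing to do with the brand. The confusable folding is deliberately small; a production filter would use the Unicode confusables table and also examine the link text versus its target.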
If something similar happens to you, you can take the following action (as I did):
At this point, I received acknowledgements from the above agencies/companies regarding my complaints.
Criminals can phish with near-impunity -- one of the reasons these types of attacks are prevalent. Follow some basic safety precautions to help prevent your credentials from being given to untrustworthy parties: